Privacy-First by Design

NorthStarMetric is built with privacy as a core architectural principle — not an afterthought. Every component of the system is designed to minimize personal data collection while maximizing attribution accuracy.
NSM was designed for the post-iOS 14 world, where privacy regulations and browser restrictions are the norm. Our architecture proves that accurate attribution and strong privacy are not mutually exclusive.

Core Privacy Principles

No Raw PII Storage

Email addresses, phone numbers, names, and other personally identifiable information are never stored in their original form. All personal data is hashed with SHA-256 before storage.

IP Address Hashing

Full IP addresses are never stored. NSM hashes only the /24 CIDR block (first 3 octets), making it impossible to identify individual users from IP data.

EU Data Residency

All data is stored on servers in the European Union (Hetzner Cloud, Nuremberg, Germany). No data is transferred to third countries.

Automatic Data Deletion

Fingerprint and session data is automatically deleted after 30 days. No manual intervention required — the system enforces retention limits at the database level.

Data Flow Architecture

Here is how data moves through the NSM system, with privacy protections at each stage:

1. Client-Side Collection

The tracking script runs on your store and collects browser signals. At this stage:
  • No cookies are required — NSM uses first-party fingerprinting
  • Browser signals are hashed locally before transmission
  • The script respects consent — if the visitor declines tracking via your CMP, no data is collected
  • All data is sent over HTTPS to track.northstarmetric.io

2. Edge Server Processing

The edge server receives the fingerprint data and:
  • Validates the request (JWT authentication, rate limiting)
  • Strips the full IP address — only the /24 CIDR block hash is retained
  • Passes the anonymized data to the processing pipeline via Redis streams
  • No raw PII touches disk at this stage

3. Identity Resolution

The identity worker processes fingerprints and:
  • Matches against existing visitor records using the Similarity Engine
  • Stores only hashed identifiers — never raw email, phone, or IP
  • Applies idempotency guards to prevent duplicate processing
  • Results are written to ClickHouse with anonymized visitor IDs

4. Attribution Matching

When an order webhook arrives from Shopify:
  • Customer email is hashed (SHA-256) before any matching occurs
  • Phone numbers are hashed before matching
  • The original PII is used only in-memory for hashing and is never persisted
  • Attribution results reference anonymized visitor IDs, not personal data

5. Conversions API Forwarding

When sending conversions to ad platforms (Meta CAPI, Google, TikTok):
  • Customer data is sent in hashed format as required by each platform
  • NSM sends SHA-256 hashed email and phone — the same format the platforms expect
  • No additional PII is shared beyond what the platform requires for matching

IP Address Handling

NSM takes a particularly careful approach to IP addresses:
Raw IP:     203.0.113.42
CIDR /24:   203.0.113.0/24    (last octet removed)
Stored:     SHA-256(203.0.113.0/24)  (hashed, irreversible)
By hashing at the /24 CIDR level, NSM groups up to 256 possible IP addresses together. This provides enough geographic signal for fraud detection without enabling individual user identification.
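The truncate-then-hash step shown above, as an added example that is not NSM's own code: it derives the /24 block with Python's `ipaddress` module and applies SHA-256 exactly as the page describes. The keyed HMAC variant is an editor's assumption, included because the set of possible /24 blocks is small (2^24), so an unkeyed hash of a block can be recognised by anyone who can compute the same hashes; a server-side secret that never leaves the edge server removes that property.

```python
import hashlib
import hmac
import ipaddress

def cidr24(ip: str) -> str:
    """Return the /24 block for an IPv4 address: 203.0.113.42 -> 203.0.113.0/24."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        # The page only describes /24 truncation, which is IPv4-specific.
        raise ValueError("only IPv4 addresses are handled by /24 truncation")
    return str(ipaddress.ip_network(f"{addr}/24", strict=False))

def hash_cidr24(ip: str) -> str:
    """Unkeyed SHA-256 of the /24 block, as described on the page."""
    return hashlib.sha256(cidr24(ip).encode("ascii")).hexdigest()

def keyed_hash_cidr24(ip: str, key: bytes) -> str:
    """HMAC-SHA256 of the /24 block with a server-side secret.

    Assumed hardening, not NSM's documented behaviour: with only 2**24 possible
    /24 blocks, an unkeyed hash can be recognised by recomputation; a secret
    key makes the stored value meaningless to anyone without it.
    """
    return hmac.new(key, cidr24(ip).encode("ascii"), hashlib.sha256).hexdigest()

def same_block(ip_a: str, ip_b: str) -> bool:
    """Two addresses in the same /24 produce the same stored hash."""
    return hash_cidr24(ip_a) == hash_cidr24(ip_b)

if __name__ == "__main__":
    print(cidr24("203.0.113.42"), hash_cidr24("203.0.113.42"))
```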

What is NOT Stored

To be explicit about what NSM does not store in any form:
Data                                   Status
Full IP addresses                      Never stored
Plain-text email addresses             Never stored
Plain-text phone numbers               Never stored
Customer names                         Never stored
Physical addresses                     Never stored
Payment information                    Never stored
Browsing history beyond your store     Never collected
Cross-site tracking data               Never collected

Data Retention Schedule

Data Type               Retention                      Auto-Delete
Device fingerprints     30 days                        Yes
Session records         30 days                        Yes
IP hash (CIDR /24)      30 days                        Yes
Email hashes            Until GDPR deletion request    On request
Ad click IDs            90 days                        Yes
Attribution records     2 years                        Yes
Order data              2 years                        Yes

Consent Management

NSM integrates with your existing consent management setup:
NSM hooks into Shopify’s native Customer Privacy API. When a visitor’s consent status changes:
  • Analytics consent granted: Full fingerprinting and tracking enabled
  • Analytics consent denied: All client-side tracking stops immediately
  • Marketing consent denied: Conversions API events are not sent to ad platforms
No additional configuration is needed — this works automatically when installed via the Shopify App Store.

GDPR Webhooks

NSM implements all required Shopify GDPR webhooks:
Webhook                  What Happens
customers/data_request   NSM compiles all data held for the customer and logs it for access request fulfillment
customers/redact         All attribution records for the customer are permanently deleted. Fingerprint and session data is anonymized.
shop/redact              All data associated with the store is permanently deleted (triggered 48 hours after app uninstall)
Data deletion via GDPR webhooks is permanent and irreversible. Once processed, the data cannot be recovered. Deletion is completed within 30 days of receiving the webhook, in compliance with GDPR Article 17.

Infrastructure Security

Beyond privacy-by-design, NSM implements standard security measures:
All data is transmitted over TLS 1.2+ (HTTPS). The edge server uses auto-renewing SSL certificates. No unencrypted HTTP connections are accepted.
ClickHouse storage uses encrypted volumes. Redis data is stored on encrypted disks with authentication enabled.
  • API endpoints verify store ownership (IDOR protection)
  • Shopify webhooks are verified via HMAC signatures
  • JWT authentication on all tracking endpoints
  • Redis requires password authentication
  • ClickHouse access is restricted to internal network only
Each store’s data is logically isolated using store IDs in all database queries. Parameterized queries prevent SQL injection. No store can access another store’s data.
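The HMAC verification that gates the GDPR webhooks listed above, as an added example and not NSM's implementation. Shopify signs the raw request body with the app's shared secret and sends the base64-encoded HMAC-SHA256 in the `X-Shopify-Hmac-Sha256` header; the secret, the payload and the routing helper here are constructed placeholders.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed example: every Shopify webhook must pass this signature check
# before any deletion or data-request handler runs. APP_SECRET and the
# payload below are placeholders, not real values.

APP_SECRET = "placeholder-app-secret"
GDPR_TOPICS = {"customers/data_request", "customers/redact", "shop/redact"}

def shopify_signature(secret: str, body: bytes) -> str:
    """base64(HMAC-SHA256(secret, raw body)), the format Shopify sends."""
    mac = hmac.new(secret.encode("utf-8"), body, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")

def verify_shopify_webhook(secret: str, body: bytes, header: Optional[str]) -> bool:
    """Constant-time comparison; a missing header is a failure, not an exception."""
    if not header:
        return False
    return hmac.compare_digest(shopify_signature(secret, body), header)

def route_gdpr_webhook(headers: dict, body: bytes, secret: str = APP_SECRET) -> str:
    """Return 'rejected', 'ignored', or the accepted GDPR topic to act on.

    Header lookup is exact-case here; a real web framework normalizes case.
    """
    if not verify_shopify_webhook(secret, body, headers.get("X-Shopify-Hmac-Sha256")):
        return "rejected"  # unsigned or tampered: never touch the database
    topic = headers.get("X-Shopify-Topic", "")
    return topic if topic in GDPR_TOPICS else "ignored"

SAMPLE_BODY = b'{"shop_domain":"example.myshopify.com","customer":{"id":1}}'  # constructed

def signed_headers(topic: str, body: bytes = SAMPLE_BODY, secret: str = APP_SECRET) -> dict:
    """Build the headers Shopify would attach to this body (used for the demo below)."""
    return {"X-Shopify-Topic": topic,
            "X-Shopify-Hmac-Sha256": shopify_signature(secret, body)}

if __name__ == "__main__":
    print(route_gdpr_webhook(signed_headers("customers/redact"), SAMPLE_BODY))
```

The body must be hashed exactly as received; re-serializing parsed JSON before signing changes byte order or whitespace and makes valid webhooks fail verification.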

Compliance Summary

Regulation      Status        Details
GDPR            Compliant     EU hosting, no PII storage, DPA available, all data subject rights implemented
CCPA            Compliant     No data selling, service provider classification
iOS 14+ ATT     Compatible    Server-side tracking operates independently of ATT consent
ePrivacy        Compatible    Works with consent banners, no third-party cookies

Next Steps